Thumb is a subset of the 32-bit ARM instruction set re-encoded as 16-bit instructions. Thumb should only be used in memory-constrained environments: it usually performs better than normal ARM code on a processor with a 16-bit data bus, but worse on a processor with a 32-bit data bus.

There are different methods to enter and leave the Thumb state. In the following example we will see one of the most used: set the least-significant bit of the address loaded into the program counter and call the BX (Branch and Exchange) instruction.

Thumb version of the execve shellcode

This is the source code for the new execve shellcode in Thumb mode (file: execveT.s):

As you can see from the above output, it is not possible to make use of the socketcall syscall, but we can use the socket syscall directly :). Let's look at how to call the socket syscall with its parameters.

We can see that the shellcode was not copied into msg_buf; this is because the shellcode contains null characters.
To solve this problem, we can write a simple encoder: our encoding will be a simple addition 🙂
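The following Python script is an added example, not code from the original post: it shows how to find the null bytes that stop the copy into msg_buf and how the "simple addition" encoding removes them. Every byte is replaced by (byte + key) mod 256, with the key chosen so that no encoded byte is 0x00; the decoder subtracts the same key. It goes slightly beyond the post by letting you forbid other bytes too (for example 0x0a if the buffer is read with a line-oriented function). The sample input is constructed for this example: the hand-assembled ARM-to-Thumb switch from above followed by a harmless exit(0), which contains two null bytes. The function names are assumptions of this example.

```python
# Added example (not from the original post): null-byte detection and the
# additive encoder/decoder described in the text.

NULL = 0x00


def find_null_offsets(data):
    """Return the offsets of every null byte in data (empty list if clean)."""
    return [i for i, b in enumerate(data) if b == NULL]


def choose_key(data, forbidden=b"\x00"):
    """Pick the smallest key in 1..255 such that no encoded byte lands in
    `forbidden`.  Raises ValueError when no single additive key works."""
    bad = set(forbidden)
    for key in range(1, 256):
        if all(((b + key) & 0xFF) not in bad for b in data):
            return key
    raise ValueError("no additive key avoids the forbidden bytes")


def encode(data, key):
    """Add key to every byte, wrapping at 256."""
    return bytes((b + key) & 0xFF for b in data)


def decode(data, key):
    """Inverse of encode: subtract key from every byte, wrapping at 256."""
    return bytes((b - key) & 0xFF for b in data)


def encode_without_nulls(data, forbidden=b"\x00"):
    """Return (key, encoded) and verify the encoding is free of forbidden bytes
    and round-trips back to the original."""
    key = choose_key(data, forbidden)
    encoded = encode(data, key)
    assert not set(encoded) & set(forbidden)
    assert decode(encoded, key) == data
    return key, encoded


# Constructed sample input (assumption of this example, not the post's code):
#   add r3, pc, #1 ; bx r3          -> ARM, switch to Thumb
#   movs r0, #0 ; movs r7, #1 ; svc 0 -> Thumb, exit(0)
# The Thumb "movs r0, #0" and "svc 0" each encode a 0x00 byte.
SAMPLE = bytes([
    0x01, 0x30, 0x8F, 0xE2,  # add r3, pc, #1
    0x13, 0xFF, 0x2F, 0xE1,  # bx r3
    0x00, 0x20,              # movs r0, #0
    0x01, 0x27,              # movs r7, #1
    0x00, 0xDF,              # svc 0
])


if __name__ == "__main__":
    print("null bytes at offsets:", find_null_offsets(SAMPLE))
    key, encoded = encode_without_nulls(SAMPLE)
    print("key:", key)
    print("encoded:", encoded.hex(" "))
    print("decoded matches original:", decode(encoded, key) == SAMPLE)
```

Note that key 1 is rejected for this sample because 0xFF + 1 wraps to 0x00; the search moves on to key 2. The check that matters for the final payload is that the decoder stub prepended to the encoded bytes must itself be free of the forbidden bytes, otherwise the copy fails in the same way.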